Responsible Vulnerability Disclosure

We care deeply about keeping our customers’ data safe and secure. Your input and feedback on our security is always appreciated.

Reporting an issue

Have you discovered a security-related issue that isn’t a common non-vulnerability?

Please send a report to security@whimsical.co with details like:

  • A summary of the problem
  • A PoC or breakdown of how to replicate the issue
  • The operating system name and version, as well as the web browser’s name and version, that you used to replicate the issue

Here’s how the process will go from there on:

  • We will acknowledge your report.
  • We will investigate the issue and may have clarifying questions.
  • Once the issue is resolved, we will post an update along with our thanks and acknowledgement of your contribution. Note that at the moment we do not offer bug bounties other than good karma.

Things we’re interested in

We are interested in any vulnerabilities related to the whimsical.co web site and application (excluding help.whimsical.co) such as:

  • Authentication issues
  • Circumvention of our Platform/Privacy permissions model
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF/XSRF). This excludes logout CSRF.
  • Server-side code execution

Our Ask

We’d like to ask you to search for and report vulnerabilities responsibly, with the following principles in mind:

  • Don’t try to access or manipulate other customers’ data; only test on your own account.
  • Do not exfiltrate data from our infrastructure (including source code, data backups, configuration files).
  • If you obtain remote access to our system, report your finding immediately. Do not attempt to pivot to other servers or elevate access.
  • Please avoid techniques that might degrade the service for others (DoS, spamming, etc.).
  • Please keep the vulnerabilities secret until you’ve notified us and we’ve had adequate time to remedy the issues.

Acknowledgements

Suhas Sunil Gaikwad